
Physical penetration test and physical security site audits


Published by Security Testing and Assurance on 23 September 2022

 

Most companies understand the need for robust information security. Large sums are spent on technology aimed at securing networks, systems, and information. However, one of the areas frequently overlooked is physical security.

While an organisation may implement strong authentication, secure code, and comprehensive intrusion prevention controls, even the most secure facility is often subject to vulnerabilities from gaps in physical security.

A facility with gates, guards, and cameras might have a side door with no alarm that employees use for smoke breaks. A company housing sensitive information on systems with multiple layers of authentication might not have any visible identification policy or controls against tailgating, essentially allowing a motivated individual to just walk in and physically take their information.

Rather than just acting as an additional layer, poor physical security can undermine all other controls. There is little use in investing in a comprehensive security solution to protect your vital data if someone can enter a facility unnoticed and take or destroy it from an unlocked laptop.

Physical security is subject to misconceptions that can be devastating, such as placing surveillance cameras around a secure site and then leaving the feed unmonitored, or implementing security controls that a convincing social engineer can easily avoid.

Many organisations are blissfully unaware of the gaps in their physical security setup until the worst happens and they lose information or devices. But how can they predict which controls are inadequate before this happens?

Physical penetration testing, in combination with physical site audits, can provide a real-world trial of just how effective those physical security controls are in protecting your people, property, and information, as well as your physical assets.

In a site audit, a professional will inspect your premises’ security profile – observing and taking note of any vulnerabilities that could potentially be exploited to gain access to your valuable information.

During a physical penetration test, the value of the controls in place is rigorously tested by a team of experienced consultants, trained to think like an intruder. Depending on your requirements, the scope of the test can vary widely. It may range from an individual attempting to talk their way into a secure facility during business hours, or tailgating other employees, all the way to an invasive attack on your facility and systems, in which the team attempts to enter offices and computer rooms, circumvent alarms or disable cameras, and essentially prove the real-world efficacy of your security controls.

In a physical penetration test, motivated individuals act like intruders in that they employ creativity and tenacity as they attempt to breach your defences and gain access. However, rather than stealing or destroying your assets, they then comprehensively report where the vulnerabilities exist so that you can fix the problems and fortify your security.

After this point, additional checks or penetration tests are recommended – to see whether issues have really been fixed, or whether new vulnerabilities have arisen.

 

Physical security threats include:
Personal and property crime
Intellectual property theft and corporate espionage
Workplace violence from both insiders and external parties
Civil disturbances
Natural disasters, industrial disasters, and pandemics
Terrorist acts and kidnappings
Other risks, such as disturbed people and traffic accidents

 

 

Robust physical security can help:
Keep your people, customers, and the public safe
Prevent unauthorised people accessing your premises, information, or assets
Maintain the trust and confidence of the people and organisations you serve or work with
Deliver services without disruption in the event of a heightened threat level or disaster
Meet your obligations under the Federal Work Health and Safety Act 2011 and local equivalents.

 

 

Find out how CyberCX can help secure your organisation with physical penetration testing and physical security site audits. 

 

 
